#VU124588 Improper Validation of Syntactic Correctness of Input in Cisco IOS XE - CVE-2026-20114

 


Published: March 25, 2026


Vulnerability identifier: #VU124588
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20114
CWE-ID: CWE-1286
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Cisco IOS XE
Software vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote user to escalate privileges and access management APIs that are not normally available to Lobby Ambassador users.

The vulnerability exists due to improper validation of parameters in the Lobby Ambassador web-based management API when handling HTTP requests. A remote user can send a specially crafted HTTP request after authenticating as a Lobby Ambassador user to escalate privileges and create a new user with privilege level 1 access to the web-based management API.

Successful exploitation allows the attacker to access device management APIs with elevated privileges.
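As an added illustration (not Cisco's code and not the real IOS XE API), the following hypothetical Python model shows the bug class the description points to: a user-creation handler reachable by the Lobby Ambassador role that copies a privilege parameter straight from the request body, beside a hardened version that checks every parameter against a per-role allow-list before acting. The role names, parameter names and schema are all assumptions.

```python
# Added illustration, not Cisco's code: a hypothetical model of the bug class in
# CVE-2026-20114, where a handler reachable by a restricted role honours request
# parameters that role should never be able to send. All names are assumptions.
from dataclasses import dataclass

# Assumed per-role allow-list: which body parameters each role may send and
# which values are syntactically acceptable for them.
ROLE_PARAM_SCHEMA = {
    "lobby-ambassador": {"username": str, "password": str, "account_type": {"guest"}},
    "admin": {"username": str, "password": str, "account_type": {"guest", "mgmt"},
              "privilege": set(range(16))},
}

@dataclass
class Request:
    role: str     # role of the authenticated caller, taken from the session
    params: dict  # body parameters exactly as parsed from the HTTP request

def create_user_weak(req: Request) -> dict:
    """Weak handler: the privilege level is copied straight from the request
    body, so a restricted caller can mint an account with privileges it lacks."""
    return {"username": req.params["username"],
            "privilege": req.params.get("privilege", 0)}

def validate_params(role: str, params: dict) -> list:
    """Return the validation errors for a request, or [] if it is acceptable."""
    schema = ROLE_PARAM_SCHEMA[role]
    errors = [f"parameter not permitted for {role}: {p}"
              for p in sorted(set(params) - set(schema))]
    for name, value in params.items():
        rule = schema.get(name)
        if rule is None:
            continue  # already reported as not permitted
        ok = isinstance(value, rule) if isinstance(rule, type) else value in rule
        if not ok:
            errors.append(f"invalid value for {name}: {value!r}")
    return errors

def create_user_hardened(req: Request) -> dict:
    """Hardened handler: reject the whole request if any parameter fails the
    role's allow-list, so only roles permitted to send 'privilege' can set it."""
    errors = validate_params(req.role, req.params)
    if errors:
        raise ValueError("; ".join(errors))
    return {"username": req.params["username"],
            "privilege": req.params.get("privilege", 0)}
```

The point of the hardened version is that the allow-list is keyed on the caller's server-side role, not on anything in the request, so a parameter the role may not send is rejected before any business logic runs.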


Remediation

Install the security update from the vendor's website.

External links